/*
- * "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $"
+ * "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $"
*
* Authorization routines for the Common UNIX Printing System (CUPS).
*
- * Copyright 2007-2008 by Apple Inc.
+ * Copyright 2007-2009 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* This file contains Kerberos support code, copyright 2006 by
static char *cups_crypt(const char *pw, const char *salt);
#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
#ifdef HAVE_GSSAPI
-static gss_cred_id_t get_gss_creds(const char *service_name);
+static gss_cred_id_t get_gss_creds(const char *service_name,
+ const char *con_server_name);
#endif /* HAVE_GSSAPI */
static char *get_md5_password(const char *username,
const char *group, char passwd[33]);
* Initialize the record and copy the name over...
*/
- temp->location = strdup(location);
- temp->length = strlen(temp->location);
+ if ((temp->location = strdup(location)) == NULL)
+ {
+ free(temp);
+ return (NULL);
+ }
+
+ temp->length = strlen(temp->location);
cupsArrayAdd(Locations, temp);
* Allow *interface*...
*/
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup("*");
temp->mask.name.length = 1;
}
*ifptr = '\0';
}
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup(ifname);
temp->mask.name.length = ifptr - ifname;
}
* Allow name...
*/
- temp->type = AUTH_NAME;
+ temp->type = CUPSD_AUTH_NAME;
temp->mask.name.name = strdup(name);
temp->mask.name.length = strlen(name);
}
*/
void
-cupsdAllowIP(cupsd_location_t *loc, /* I - Location to add to */
- unsigned address[4], /* I - IP address to add */
- unsigned netmask[4]) /* I - Netmask of address */
+cupsdAllowIP(
+ cupsd_location_t *loc, /* I - Location to add to */
+ const unsigned address[4], /* I - IP address to add */
+ const unsigned netmask[4]) /* I - Netmask of address */
{
cupsd_authmask_t *temp; /* New host/domain mask */
if ((temp = add_allow(loc)) == NULL)
return;
- temp->type = AUTH_IP;
+ temp->type = CUPSD_AUTH_IP;
memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
}
char *ptr, /* Pointer into string */
username[256], /* Username string */
password[33]; /* Password string */
- const char *localuser; /* Certificate username */
+ cupsd_cert_t *localuser; /* Certificate username */
char nonce[HTTP_MAX_VALUE], /* Nonce value from client */
md5[33], /* MD5 password */
basicmd5[33]; /* MD5 of Basic password */
*/
con->best = cupsdFindBest(con->uri, con->http.state);
- con->type = AUTH_NONE;
+ con->type = CUPSD_AUTH_NONE;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdAuthorize: con->uri=\"%s\", con->best=%p(%s)",
con->uri, con->best, con->best ? con->best->location : "");
- if (con->best && con->best->type != AUTH_NONE)
+ if (con->best && con->best->type != CUPSD_AUTH_NONE)
{
- if (con->best->type == AUTH_DEFAULT)
+ if (con->best->type == CUPSD_AUTH_DEFAULT)
type = DefaultAuthType;
else
type = con->best->type;
return;
}
- if ((status = AuthorizationCopyInfo(con->authref,
- kAuthorizationEnvironmentUsername,
- &authinfo)) != 0)
+ strlcpy(username, "_AUTHREF_", sizeof(username));
+
+ if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername,
+ &authinfo))
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "AuthorizationCopyInfo returned %d (%s)",
- (int)status, cssmErrorString(status));
- return;
+ if (authinfo->count == 1 && authinfo->items[0].value &&
+ authinfo->items[0].valueLength >= 2)
+ strlcpy(username, authinfo->items[0].value, sizeof(username));
+
+ AuthorizationFreeItemSet(authinfo);
}
-
- if (authinfo->count == 1)
- strlcpy(username, authinfo->items[0].value, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as %s using AuthRef",
+ "cupsdAuthorize: Authorized as \"%s\" using AuthRef",
username);
-
- AuthorizationFreeItemSet(authinfo);
-
- con->type = AUTH_BASIC;
+ con->type = CUPSD_AUTH_BASIC;
}
#endif /* HAVE_AUTHORIZATION_H */
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
"cupsdAuthorize: Authorized as %s using PeerCred",
username);
- con->type = AUTH_BASIC;
+ con->type = CUPSD_AUTH_BASIC;
}
#endif /* SO_PEERCRED && AF_LOCAL */
else if (!strncmp(authorization, "Local", 5) &&
if ((localuser = cupsdFindCert(authorization)) != NULL)
{
- strlcpy(username, localuser, sizeof(username));
+ strlcpy(username, localuser->username, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdAuthorize: Authorized as %s using Local",
return;
}
- con->type = AUTH_BASIC;
+#ifdef HAVE_GSSAPI
+ if (localuser->ccache)
+ con->type = CUPSD_AUTH_NEGOTIATE;
+ else
+#endif /* HAVE_GSSAPI */
+ con->type = CUPSD_AUTH_BASIC;
}
else if (!strncmp(authorization, "Basic", 5))
{
switch (type)
{
default :
- case AUTH_BASIC :
+ case CUPSD_AUTH_BASIC :
{
#if HAVE_LIBPAM
/*
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: pam_start() returned %d (%s)!\n",
+ "cupsdAuthorize: pam_start() returned %d (%s)!",
pamerr, pam_strerror(pamh, pamerr));
- pam_end(pamh, 0);
return;
}
-# if defined(HAVE_PAM_SET_ITEM) && defined(PAM_RHOST)
+# ifdef HAVE_PAM_SET_ITEM
+# ifdef PAM_RHOST
pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname);
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
- "cupsdAuthorize: pam_set_item() returned %d "
- "(%s)!\n", pamerr, pam_strerror(pamh, pamerr));
-# endif /* HAVE_PAM_SET_ITEM && PAM_RHOST */
+ "cupsdAuthorize: pam_set_item(PAM_RHOST) "
+ "returned %d (%s)!", pamerr,
+ pam_strerror(pamh, pamerr));
+# endif /* PAM_RHOST */
+
+# ifdef PAM_TTY
+ pamerr = pam_set_item(pamh, PAM_TTY, "cups");
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "cupsdAuthorize: pam_set_item(PAM_TTY) "
+ "returned %d (%s)!", pamerr,
+ pam_strerror(pamh, pamerr));
+# endif /* PAM_TTY */
+# endif /* HAVE_PAM_SET_ITEM */
+
+# ifdef HAVE_PAM_SETCRED
+ pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "cupsdAuthorize: pam_setcred() "
+ "returned %d (%s)!", pamerr,
+ pam_strerror(pamh, pamerr));
+# endif /* HAVE_PAM_SETCRED */
pamerr = pam_authenticate(pamh, PAM_SILENT);
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: pam_authenticate() returned %d "
- "(%s)!\n",
+ "(%s)!",
pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: pam_acct_mgmt() returned %d "
- "(%s)!\n",
+ "(%s)!",
pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: AIX authenticate of username \"%s\"",
- username);
+ "cupsdAuthorize: AIX authenticate of username "
+ "\"%s\"", username);
reenter = 1;
if (authenticate(username, password, &reenter, &authmsg) != 0)
username);
break;
- case AUTH_BASICDIGEST :
+ case CUPSD_AUTH_BASICDIGEST :
/*
* Do Basic authentication with the Digest password file...
*/
"cupsdAuthorize: Authorized as %s using Digest",
username);
- con->type = AUTH_DIGEST;
+ con->type = CUPSD_AUTH_DIGEST;
}
#ifdef HAVE_GSSAPI
else if (!strncmp(authorization, "Negotiate", 9))
* Get the server credentials...
*/
- if ((server_creds = get_gss_creds(GSSServiceName)) == NULL)
+ if ((server_creds = get_gss_creds(GSSServiceName, con->servername)) == NULL)
return;
/*
con->gss_have_creds = 1;
- con->type = AUTH_NEGOTIATE;
+ con->type = CUPSD_AUTH_NEGOTIATE;
}
else
gss_release_name(&minor_status, &client_name);
allow = 0; /* anti-compiler-warning-code */
break;
- case AUTH_ALLOW : /* Order Deny,Allow */
+ case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
allow = 1;
if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
allow = 1;
break;
- case AUTH_DENY : /* Order Allow,Deny */
+ case CUPSD_AUTH_DENY : /* Order Allow,Deny */
allow = 0;
if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
{
switch (masks->type)
{
- case AUTH_INTERFACE :
+ case CUPSD_AUTH_INTERFACE :
/*
* Check for a match with a network interface...
*/
}
break;
- case AUTH_NAME :
+ case CUPSD_AUTH_NAME :
/*
* Check for exact name match...
*/
return (1);
break;
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
/*
* Check for IP/network address match...
*/
struct passwd *user, /* I - System user info */
const char *groupname) /* I - Group name */
{
- int i; /* Looping var */
- struct group *group; /* System group info */
- char junk[33]; /* MD5 password (not used) */
+ int i; /* Looping var */
+ struct group *group; /* System group info */
+ char junk[33]; /* MD5 password (not used) */
#ifdef HAVE_MBR_UID_TO_UUID
- uuid_t useruuid, /* UUID for username */
- groupuuid; /* UUID for groupname */
- int is_member; /* True if user is a member of group */
+ uuid_t useruuid, /* UUID for username */
+ groupuuid; /* UUID for groupname */
+ int is_member; /* True if user is a member of group */
#endif /* HAVE_MBR_UID_TO_UUID */
* Check group membership through MacOS X membership API...
*/
- if (user && group)
- if (!mbr_uid_to_uuid(user->pw_uid, useruuid))
+ if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
+ {
+ if (group)
+ {
+ /*
+ * Map group name to UUID and check membership...
+ */
+
if (!mbr_gid_to_uuid(group->gr_gid, groupuuid))
- if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+ if (!mbr_check_membership(useruuid, groupuuid, &is_member))
if (is_member)
return (1);
+ }
+ else if (groupname[0] == '#')
+ {
+ /*
+ * Use UUID directly and check for equality (user UUID) and
+ * membership (group UUID)...
+ */
+
+ if (!uuid_parse((char *)groupname + 1, groupuuid))
+ {
+ if (!uuid_compare(useruuid, groupuuid))
+ return (1);
+ else if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+ if (is_member)
+ return (1);
+ }
+
+ return (0);
+ }
+ }
+ else if (groupname[0] == '#')
+ return (0);
#endif /* HAVE_MBR_UID_TO_UUID */
/*
for (i = 0; i < temp->num_allow; i ++)
switch (temp->allow[i].type = (*loc)->allow[i].type)
{
- case AUTH_NAME :
+ case CUPSD_AUTH_NAME :
temp->allow[i].mask.name.length = (*loc)->allow[i].mask.name.length;
temp->allow[i].mask.name.name = strdup((*loc)->allow[i].mask.name.name);
return (NULL);
}
break;
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
memcpy(&(temp->allow[i].mask.ip), &((*loc)->allow[i].mask.ip),
sizeof(cupsd_ipmask_t));
break;
for (i = 0; i < temp->num_deny; i ++)
switch (temp->deny[i].type = (*loc)->deny[i].type)
{
- case AUTH_NAME :
+ case CUPSD_AUTH_NAME :
temp->deny[i].mask.name.length = (*loc)->deny[i].mask.name.length;
temp->deny[i].mask.name.name = strdup((*loc)->deny[i].mask.name.name);
return (NULL);
}
break;
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
memcpy(&(temp->deny[i].mask.ip), &((*loc)->deny[i].mask.ip),
sizeof(cupsd_ipmask_t));
break;
free(loc->names);
for (i = loc->num_allow, mask = loc->allow; i > 0; i --, mask ++)
- if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE)
+ if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
free(mask->mask.name.name);
if (loc->num_allow > 0)
free(loc->allow);
for (i = loc->num_deny, mask = loc->deny; i > 0; i --, mask ++)
- if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE)
+ if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
free(mask->mask.name.name);
if (loc->num_deny > 0)
* Deny *interface*...
*/
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup("*");
temp->mask.name.length = 1;
}
*ifptr = '\0';
}
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup(ifname);
temp->mask.name.length = ifptr - ifname;
}
* Deny name...
*/
- temp->type = AUTH_NAME;
+ temp->type = CUPSD_AUTH_NAME;
temp->mask.name.name = strdup(name);
temp->mask.name.length = strlen(name);
}
void
cupsdDenyIP(cupsd_location_t *loc, /* I - Location to add to */
- unsigned address[4],/* I - IP address to add */
- unsigned netmask[4])/* I - Netmask of address */
+ const unsigned address[4],/* I - IP address to add */
+ const unsigned netmask[4])/* I - Netmask of address */
{
cupsd_authmask_t *temp; /* New host/domain mask */
if ((temp = add_deny(loc)) == NULL)
return;
- temp->type = AUTH_IP;
+ temp->type = CUPSD_AUTH_IP;
memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
}
*best; /* Best match for location so far */
int bestlen; /* Length of best match */
int limit; /* Limit field */
- static const int limits[] = /* Map http_status_t to AUTH_LIMIT_xyz */
+ static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */
{
- AUTH_LIMIT_ALL,
- AUTH_LIMIT_OPTIONS,
- AUTH_LIMIT_GET,
- AUTH_LIMIT_GET,
- AUTH_LIMIT_HEAD,
- AUTH_LIMIT_POST,
- AUTH_LIMIT_POST,
- AUTH_LIMIT_POST,
- AUTH_LIMIT_PUT,
- AUTH_LIMIT_PUT,
- AUTH_LIMIT_DELETE,
- AUTH_LIMIT_TRACE,
- AUTH_LIMIT_ALL,
- AUTH_LIMIT_ALL
+ CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_OPTIONS,
+ CUPSD_AUTH_LIMIT_GET,
+ CUPSD_AUTH_LIMIT_GET,
+ CUPSD_AUTH_LIMIT_HEAD,
+ CUPSD_AUTH_LIMIT_POST,
+ CUPSD_AUTH_LIMIT_POST,
+ CUPSD_AUTH_LIMIT_POST,
+ CUPSD_AUTH_LIMIT_PUT,
+ CUPSD_AUTH_LIMIT_PUT,
+ CUPSD_AUTH_LIMIT_DELETE,
+ CUPSD_AUTH_LIMIT_TRACE,
+ CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_ALL
};
best = con->best;
- if ((type = best->type) == AUTH_DEFAULT)
+ if ((type = best->type) == CUPSD_AUTH_DEFAULT)
type = DefaultAuthType;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdIsAuthorized: level=AUTH_%s, type=%s, "
- "satisfy=AUTH_SATISFY_%s, num_names=%d",
+ "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, "
+ "satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d",
levels[best->level], types[type],
best->satisfy ? "ANY" : "ALL", best->num_names);
- if (best->limit == AUTH_LIMIT_IPP)
+ if (best->limit == CUPSD_AUTH_LIMIT_IPP)
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)",
best->op, ippOpString(best->op));
hostlen = strlen(con->http.hostname);
auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best)
- ? AUTH_ALLOW : AUTH_DENY;
+ ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=AUTH_%s...",
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...",
auth ? "DENY" : "ALLOW");
- if (auth == AUTH_DENY && best->satisfy == AUTH_SATISFY_ALL)
+ if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
return (HTTP_FORBIDDEN);
#ifdef HAVE_SSL
if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
strcasecmp(con->http.hostname, "localhost") &&
- best->satisfy == AUTH_SATISFY_ALL) &&
- !(type == AUTH_NEGOTIATE ||
- (type == AUTH_NONE && DefaultAuthType == AUTH_NEGOTIATE)))
+ best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
+ !(type == CUPSD_AUTH_NEGOTIATE ||
+ (type == CUPSD_AUTH_NONE && DefaultAuthType == CUPSD_AUTH_NEGOTIATE)))
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: Need upgrade to TLS...");
* Now see what access level is required...
*/
- if (best->level == AUTH_ANON || /* Anonymous access - allow it */
- (type == AUTH_NONE && best->num_names == 0))
+ if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */
+ (type == CUPSD_AUTH_NONE && best->num_names == 0))
return (HTTP_OK);
- if (!con->username[0] && type == AUTH_NONE &&
- best->limit == AUTH_LIMIT_IPP)
+ if (!con->username[0] && type == CUPSD_AUTH_NONE &&
+ best->limit == CUPSD_AUTH_LIMIT_IPP)
{
/*
* Check for unauthenticated username...
attr->values[0].string.text);
strlcpy(username, attr->values[0].string.text, sizeof(username));
}
- else if (best->satisfy == AUTH_SATISFY_ALL || auth == AUTH_DENY)
+ else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
else
return (HTTP_OK); /* unless overridden with Satisfy */
if (!con->username[0])
#endif /* HAVE_AUTHORIZATION_H */
{
- if (best->satisfy == AUTH_SATISFY_ALL || auth == AUTH_DENY)
+ if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
else
return (HTTP_OK); /* unless overridden with Satisfy */
}
- if (con->type != type && type != AUTH_NONE &&
- (con->type != AUTH_BASIC || type != AUTH_BASICDIGEST))
+ if (con->type != type && type != CUPSD_AUTH_NONE &&
+ (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST))
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!",
types[con->type], types[type]);
else
pw = NULL;
- if (best->level == AUTH_USER)
+ if (best->level == CUPSD_AUTH_USER)
{
/*
* If there are no names associated with this location, then
return (HTTP_OK);
}
- return (HTTP_UNAUTHORIZED);
+ return (HTTP_FORBIDDEN);
}
#endif /* HAVE_AUTHORIZATION_H */
return (HTTP_OK);
}
- return (HTTP_UNAUTHORIZED);
+ return (HTTP_FORBIDDEN);
}
/*
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: User not in group(s)!");
- return (HTTP_UNAUTHORIZED);
+ return (HTTP_FORBIDDEN);
}
*/
static gss_cred_id_t /* O - Server credentials */
-get_gss_creds(const char *service_name) /* I - Service name */
+get_gss_creds(
+ const char *service_name, /* I - Service name */
+ const char *con_server_name) /* I - Hostname of server */
{
OM_uint32 major_status, /* Major status code */
minor_status; /* Minor status code */
gss_cred_id_t server_creds; /* Server credentials */
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
/* Service name token */
- char buf[1024], /* Service name buffer */
- fqdn[HTTP_MAX_URI]; /* Hostname of server */
+ char buf[1024]; /* Service name buffer */
- snprintf(buf, sizeof(buf), "%s@%s", service_name,
- httpGetHostname(NULL, fqdn, sizeof(fqdn)));
+ snprintf(buf, sizeof(buf), "%s@%s", service_name, con_server_name);
token.value = buf;
token.length = strlen(buf);
/*
- * End of "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $".
+ * End of "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $".
*/